Podcast – Smart Vehicle Security: A Report from the Lab

The U.S. Justice Department has formed a threat analysis team to study potential national security challenges posed by self-driving cars, medical devices and other Internet-connected tools.

In-brief: In this Security Ledger podcast, Paul speaks with Sameer Dixit of Spirent Security Labs, a leading tester of connected (“smart”) vehicles. Truly secure, connected vehicles may be years away, he says. In the meantime, security flaws and poorly implemented features are a major issue, with many car companies still preferring bolt-on security fixes over secure design.

In just the last decade, vehicles of all makes and models have been transformed from moderately intelligent, disconnected machinery to super-sophisticated, Internet-connected endpoints. Sensors and interactive features have sprouted like dandelions: from Bluetooth-enabled entertainment systems to driver assistance technology that can literally steer the car, or ease you into a parallel parking space.

But connected vehicles' position at the vanguard of the Internet of Things also paints a big target on their backs. Security researchers like Charlie Miller and Chris Valasek have already shown how the combination of Internet connectivity and older, pre-Internet networking technology can create potent attack vectors for would-be cyber criminals and nation-state actors. Vehicles sport some of the world’s largest and most complex supply chains for both hardware and software. Those, too, are susceptible to compromise.

And, unlike other connected products, connected vehicles weigh thousands of pounds and regularly drive around at 70 miles per hour, putting life and limb at risk and reducing the margin of error for software-induced problems to fractions of a second.

Connected car manufacturers and suppliers need to respond by adopting a uniform security framework for connected vehicles, the Cloud Security Alliance concluded in a report released last week. “In the near future, connected vehicles will operate in a complex ecosystem that connects not only vehicles between each other and the traffic infrastructure, but also with new forms of connectivity and relationships to cloud-based services, smart homes, and even smart cities,” said Brian Russell, Chair of the CSA IoT Working Group.

But what is the state of connected vehicle security? And what steps are car companies taking to address these issues? The Security Ledger sat down with Sameer Dixit to find out. Sameer is the Senior Director, Security Consulting at Spirent, where he leads the ethical hacking and security research team called Spirent Security Labs. Spirent is a UK-based testing and measurement company that provides security consulting services, assessment and monitoring to leading automakers.

Sameer reports that security problems are rife in vehicle systems – some of them trivial to exploit. One example: a mobile application developed by a major automaker required only the vehicle ID number (or VIN) to authenticate to the car. But VINs are hardly protected information – they are readily viewable through the front windshield of a vehicle and can be looked up in the U.S. through state department of motor vehicle websites.

The auto industry, he says, is still making the transition to secure-by-design principles and is saddled with a legacy of security-optional technology or “bolted on” fixes for known security issues that will do little to stem attacks.